
Damballa Uncovers Fresh Version of Botnet TDSS/TDL-4

Damballa Inc. recently announced that a new version of the TDSS/TDL-4 bot is spreading quickly and uses a domain generation algorithm (DGA) to communicate with its command-and-control (C&C) servers.

The DGA is what lets the revised botnet keep messages flowing between victims and the C&C servers while hopping between domains: rather than hard-coding C&C domain names, each bot computes a fresh set of candidate domains from a seed and the current date, and the operators register only a few of them, so blocking any single domain does not cut the channel. This technique, known as domain fluxing, is the domain-name analogue of fast-flux, in which a single domain's IP address changes rapidly instead.
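To make the mechanism concrete, here is an added example that is not from the article and is not TDL-4's actual algorithm: a hypothetical time-seeded DGA, the defender-side precomputation that makes sinkholing possible once the algorithm and seed are known, and a simple detector over a constructed DNS log that flags hosts either hitting a precomputed domain or burning through many NXDOMAIN answers for random-looking labels. The seed value, the label length, the TLD list and the sample log are all assumptions made for illustration.

```python
"""Illustrative DGA plus sinkhole/detection logic (added example, not TDL-4's code)."""
import hashlib
import math
from collections import Counter, defaultdict
from datetime import date, timedelta

# Hypothetical seed and TLD list; the real botnet's values are not in the article.
SEED = b"example-seed"
TLDS = ("com", "net", "info")


def dga_domains(seed: bytes, day: date, count: int = 10) -> list:
    """Generate `count` candidate C&C domains for `day` from `seed`.

    Bot and operator run the same deterministic function, so the operator
    only has to register a handful of the outputs for that day.
    """
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])  # 12 lowercase letters
        domains.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return domains


def precompute_for_sinkhole(seed: bytes, start: date, days: int) -> frozenset:
    """Defender side: with the reversed algorithm and seed, enumerate every
    domain the bots will try over a window so they can be registered or sunk."""
    out = set()
    for n in range(days):
        out.update(dga_domains(seed, start + timedelta(days=n)))
    return frozenset(out)


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; random-looking labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def flag_dga_clients(dns_log, known_dga_domains=frozenset(),
                     nx_threshold=5, entropy_threshold=3.0) -> set:
    """Return client IPs that (a) queried a precomputed DGA domain, or
    (b) produced at least `nx_threshold` NXDOMAIN answers for high-entropy
    labels, the usual signature of a bot walking its daily candidate list.
    Log records are (client, qname, rcode) tuples."""
    flagged = set()
    nx_counts = defaultdict(int)
    for client, qname, rcode in dns_log:
        if qname in known_dga_domains:
            flagged.add(client)
        if rcode == "NXDOMAIN" and shannon_entropy(qname.split(".")[0]) >= entropy_threshold:
            nx_counts[client] += 1
    flagged.update(c for c, n in nx_counts.items() if n >= nx_threshold)
    return flagged


# Constructed sample log (not captured traffic): one bot that reached a live
# DGA domain, one bot still hunting through failed lookups, one clean host.
FIRST_DAY = date(2012, 5, 1)
SAMPLE_LOG = [
    ("10.0.0.5", dga_domains(SEED, FIRST_DAY)[3], "NOERROR"),
    ("10.0.0.7", "www.example.com", "NOERROR"),
    ("10.0.0.7", "mail.example.com", "NOERROR"),
] + [
    ("10.0.0.9", f"{label}.com", "NXDOMAIN")
    for label in ("qzxjvwkfbnrt", "plmokniujbvg", "zaqxswcdevfr",
                  "tgbyhnujmikl", "wsxedcrfvtgb", "hjklpoiuytre")
]


def demo() -> set:
    """Run the detector with a three-day precomputed sinkhole list."""
    known = precompute_for_sinkhole(SEED, FIRST_DAY, days=3)
    return flag_dga_clients(SAMPLE_LOG, known)


if __name__ == "__main__":
    print("flagged clients:", sorted(demo()))
```

The entropy heuristic alone would miss 10.0.0.5, whose single lookup succeeded because the operators had registered that day's domain; only the precomputed list catches it. That is why reversing the algorithm and seed matters so much more to responders than blocklisting observed domains, and why a DGA whose seed is hard to recover is the evasive case the article's sources worry about.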

Since this version appeared in May 2012, about 250,000 unique victims have been infected, including machines on ISP networks, in government agencies and in 46 Fortune 500 companies. Damballa said it identified around 85 C&C servers and 418 domains associated with the new botnet, hosted mainly in the Netherlands, Romania and Russia; some of them, according to the company, belong to the Russian Business Network (RBN).

TDSS/TDL-4 is a rootkit that infects the PC's master boot record (MBR), which makes it hard to remove. It hides any additional malware installed on the machine and has already infected roughly 4.5 million PCs.

Traffic captured by a sinkhole for the C&C has also revealed new information about a click-fraud scheme that uses DGA-based command-and-control to report back after successful click-fraud operations, data the criminals can use to provision the rest of the scam.

Among the websites the click-fraud scheme abused, the most frequent targets were doubleclick.net, facebook.com, yahoo.com, youtube.com, google.com and msn.com.

Dr. Manos Antonakakis, Director of Academic Sciences at Damballa, says that, as the company reported earlier, the speed at which DGA-based communication is being adopted is extremely worrying for incident response teams, as is the technique's ability to evade detection by even highly sophisticated anti-malware solutions. Marketwatch.com published this on September 17, 2012.

Dr. Antonakakis adds that TDL-4, which already bypasses anti-malware solutions and cannot be cleaned, becomes even more problematic when combined with evasive DGA-based communications. And because the rootkit serves as a platform for other malware and is known for sub-leasing its access to victims, the threat to corporate networks looks like an invisible time bomb that is very hard to defuse.